posted by n1 on Tuesday December 30 2014, @12:02PM
from the government-approved-security-tools dept.

Spiegel Online has a story on just how many of our supposedly secure protocols are routinely cracked by the NSA. The page is worth bookmarking, if for no other reason than the tremendous number of links to actual NSA documents it contains.

The main points are not new to those of us who have been following this issue for some time. Your VPN is NOT private, your SSL was easily cracked as far back as 2012, and even your SSH sessions are often vulnerable. Skype is a joke; you might as well mail the NSA a transcript.

Some things are still very difficult for them to crack: PGP with good (2048 or 4096) byte keys, OTR settings on chat sessions (XMPP, Jabber, even Google Talk with someone else's client), and TrueCrypt for your disk drives all present significant problems.

NSA cryptologists divided their targets into five levels corresponding to the degree of the difficulty of the attack and the outcome, ranging from "trivial" to "catastrophic."

Monitoring a document's path through the Internet is classified as "trivial." Recording Facebook chats is considered a "minor" task, while the level of difficulty involved in decrypting emails sent through Moscow-based Internet service provider "mail.ru" is considered "moderate." Still, all three of those classifications don't appear to pose any significant problems for the NSA.

Things first become troublesome at the fourth level. The NSA encounters "major" problems in its attempts to decrypt messages sent through heavily encrypted email.

TOR presents problems, but so many of the TOR Exit Nodes are NSA controlled that anonymity of at least one end can't be guaranteed, although a personal encryption layer on top of TOR may provide privacy of content.

Your SSL sessions should not be allowed to sit idle. Tear them down (close the browser) and start a new session. Most of the SSL connections decrypted are resumed sessions. According to one NSA document, the agency intended to crack 10 million intercepted https connections a day by late 2012.

Things become "catastrophic" for the NSA at level five - when, for example, a subject uses a combination of Tor, another anonymization service, the instant messaging system CSpace and a system for Internet telephony (voice over IP) called ZRTP. This type of combination results in a "near-total loss/lack of insight to target communications, presence," the NSA document states.

 
  • (Score: 2) by buswolley on Tuesday December 30 2014, @03:39PM

    by buswolley (848) on Tuesday December 30 2014, @03:39PM (#130219)

    This is a Snowden release... I doubt this is misinformation...
    ...unless you think this is from a document which is deliberately lying to other depts. within the NSA.

    --
    subicular junctures
  • (Score: 3, Insightful) by VLM on Tuesday December 30 2014, @04:10PM

    by VLM (445) on Tuesday December 30 2014, @04:10PM (#130237)

    If I were in charge of a database like that, I'd be smart enough to salt it. Oh look, access logs show someone looking at my decoy. How interesting. Oh look, my decoy made it out into the real world...

    And anyone who thinks departments don't lie to each other never worked at a huge megacorp. After a certain size your enemies are all internal not external. The NSA is bigger.

    • (Score: 0) by Anonymous Coward on Tuesday December 30 2014, @04:24PM

      by Anonymous Coward on Tuesday December 30 2014, @04:24PM (#130244)

      If I were in charge of a database like that, I'd be smart enough to salt it. Oh look, access logs show someone looking at my decoy. How interesting.

      You are just doing that "20/20 hindsight" thing. If that particular database were your one and only responsibility you could afford to play all kinds of tricks with it. But it isn't. In the grand scheme of NSA secrets it was just one of thousands, and one thing we learned from the Snowden disclosures is that the NSA's countermeasures for insider threats were minimal.

  • (Score: 2) by _NSAKEY on Wednesday December 31 2014, @01:53AM

    by _NSAKEY (16) on Wednesday December 31 2014, @01:53AM (#130424)

    You can't reason with the anti-tor crowd. They always have some half-baked excuse. See the Pando Daily-endorsed hate mob on Twitter if you don't believe me.